Privacy preferences roaming and enforcement

ABSTRACT

The invention comprises a system and method for management of Web users' privacy preferences. In the distributed system, a Web user has a single set of privacy preferences. The single set of privacy preferences and any of its modifications are propagated among Web browsers and Web services. The user's own privacy preferences are enforced at Web services based on the requester's privacy policies.

BACKGROUND OF THE INVENTION

[0001] 1. Technical Field

[0002] The invention relates generally to Internet-based centralized user privacy preferences management technology. More particularly, this invention relates to a system and method for user privacy preferences roaming among clients and Web services, and for privacy enforcement at Web services based on the requesters' privacy policies.

[0003] 2. Description of the Prior Art

[0004] The Platform for Privacy Preferences Project (P3P), developed by the World Wide Web Consortium, is emerging as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. P3P has been designed to promote privacy and trust on the Web by enabling Web services to disclose their information practices, and enabling Web users to make informed decisions about the collection and use of their personal information.

[0005] P3P is an important building block of a new privacy protection concept that increasingly focuses on transparency and market-economy elements. At its most basic level, P3P is a standardized set of multiple-choice questions covering all the major aspects of a Web site's privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P-enabled browsers can read this snapshot automatically and compare it to the consumer's own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see.

[0006] P3P allows users' Web browsers to understand Web sites' privacy practices automatically. Privacy policies are embedded in the code of a Web site. Browsers read the policy and then automatically provide certain information to specific Web sites based on the preferences set by the users and stored as a User Preference file on the user's computer. The User Preference file specifies what kinds of practices the user will accept, what kinds should be rejected, and what kinds should cause the program to prompt the user to decide how to respond.

[0007] The P3P specification provides syntax for specifying privacy policies and privacy preferences (APPEL), and a protocol for exchanging information between the Web site and the user agent. Sophisticated preferences may be difficult for end users to specify, even through well-crafted user interfaces. An organization can create a set of recommended preferences for users. Users who trust that organization can install a pre-defined rule set rather than specifying a new set from scratch. It will be easy to change the active rule set on a single computer, or to carry a rule set to a new computer.

[0008] Categories are vital to making P3P user agents easier to implement and use; they allow users to express more generalized preferences and rules over the exchange of their data. Categories are often included when defining a new element or when referring to data that the user is prompted to type in, as opposed to data stored in the user data repository. Categories themselves are not data elements, but are a more generalized description of a set of single data elements which belong to this category.

[0009] Using the policy reference file, by defining realms in the header of the answer, servers can not only define different policies on the same server, but also the same policy for different servers. Defining different policies on the same server can be useful when there are pages that can be browsed where the service does not collect any data, and other pages for shopping or feedback where data is collected and a certain purpose would be addressed.

[0010] The first major commercial user agent implementation of P3P is Microsoft's Internet Explorer 6 Web browser, released in the summer of 2001, which is focused on cookie blocking. Other P3P software (for example, the AT&T Privacy Bird) uses the full P3P policy more extensively than it is used in IE6. IBM released a P3P policy editor tool that Web sites can use to create their P3P policies. This tool has been used by many of the Web sites that adopted P3P.

[0011] After all, only a few user agents now support P3P privacy preferences. Even these user agents have implemented only partial solutions, such as merely dealing with cookies. These browser-based P3P privacy preferences are only applicable when the user is using that particular browser. In addition, because Web services design their own access control languages, such as XACML (an XML specification for expressing policies for information access over the Internet) from OASIS and HSDL from Microsoft's .NET MyServices, Web users are required to manage multiple sets of privacy preferences, each specified in different languages or tools. Further, none of the Web services enforces the user's privacy preferences according to the requester's P3P policies.

[0012] Therefore, there is a need for a mechanism according to which a user has only a single set of privacy preferences, and this single set of privacy preferences and any of its modifications are propagated among Web browsers and Web services. What is further needed is that the user's privacy preferences are enforced at Web services based on the requester's privacy policies.

SUMMARY OF THE INVENTION

[0013] The invention provides a system and method for management of Web users' privacy preferences. In the distributed system, a Web user has a single set of privacy preferences. The single set of privacy preferences and any of its modifications are propagated among Web browsers and Web services. The user's own privacy preferences are enforced at Web services based on the requester's privacy policies. The solution gives Web users integrated control over their online privacy relationships and enhances trust between Web service providers and Web users.

[0014] According to one aspect of the invention, each user has a single set of privacy preferences. A user can make changes to his privacy preferences at either his preferred browsers or services. For example, a user could apply a P3P preference editor to create his privacy preferences and then import them into his preferred browser. Alternatively, a user can modify his privacy preferences through permission prompts created by Web services.

[0015] According to another aspect of the invention, a user's privacy preferences and their changes are propagated among Web browsers and Web services.

[0016] 1. Propagation from Web Services to Web Browser:

[0017] When a user signs up with a Web service provider (WSP) via a browser without P3P privacy preferences, the WSP offers default privacy preferences to the user, and the user can then make the necessary modifications to the preferences. The resulting privacy preferences are sent back to the user's browser as an HTTP response.

[0018] In another situation, after a user has replied to a permission prompt asking whether a Web service consumer site (WSC) may access user data on a WSP, the Web service examines whether the user's privacy preferences should be changed. If so, the delta of privacy preference changes is propagated from the Web services to the Web browser. If the permission message is hosted by the WSP, then the preference changes are sent back from the WSP to the browser via an HTTP response header for the user's response. Otherwise, if the permission message is hosted by the WSC, then the preference changes are sent back from the WSP to the browser in two steps: first, a SOAP response header is sent from the WSP to the WSC; and second, an HTTP response header is sent from the WSC to the browser.

[0019] 2. Propagation from Web Browser to Web Services:

[0020] When a user signs up with a Web service via a browser with P3P preferences, the user's privacy preferences are copied from the browser into the new Web service, and the browser records the URL of this new Web service in its ServicePrivacyURLs file, which consists of the URLs of all Web services that contain a copy of the user's privacy preferences.

[0021] After a user has modified his privacy preferences in a browser, for each URL within the ServicePrivacyURLs file, the user's modified privacy preferences are propagated from the browser to the corresponding Web service.

[0022] According to another aspect of the invention, users' privacy preferences are enforced at Web services based on the requester's P3P policies. Consider a case where a user accesses the Web site WSC, which in turn accesses a Web service WSP. Web service WSP classifies its user data in terms of P3P categories. This can be done via a list of P3P <DATA-STRUCT> elements. The service request from the WSC to the WSP includes p3pReferenceURL, p3pModificationTime, and userAccessURL.

[0023] Web service WSP then decides whether it needs to update its local cache of WSC's P3P policies/references information based on the incoming parameters p3pReferenceURL and p3pModificationTime. If so, it pulls WSC's P3P policies/references information and updates the local cache appropriately.

[0024] The WSP then identifies the WSC's P3P policy used at userAccessURL and evaluates the user's privacy preferences against WSC's P3P policies to determine whether the service request is allowed or not.

[0025] If a user prompt is needed, the WSP prompts the user directly or indirectly via the WSC for permission. The response to this permission prompt can result in changes to the user's privacy preferences.

BRIEF DESCRIPTION OF THE DRAWINGS

[0026] FIG. 1 is a schematic flow diagram illustrating a method 100 of propagating a user's privacy preferences from Web services to a Web browser;

[0027] FIG. 2 is a schematic flow diagram illustrating a method 200 of propagating a user's privacy preferences from a Web browser to Web services; and

[0028] FIGS. 3A-3C are schematic diagrams collectively illustrating a method 300 of enforcing a user's privacy preferences at Web services based on the requester's P3P policies.

DETAILED DESCRIPTION OF THE INVENTION

[0029] Terminology

[0030] The following terms shall have the meanings associated therewith for purposes of the discussion herein:

[0031] Data Element—An individual data entity, such as last name or telephone number.

[0032] Data Category—A significant attribute of a data element or data set that may be used by a trust engine to determine what type of element is under discussion, such as physical contact information. Categories provide hints to users and user agents as to the intended uses of the data.

[0033] Data Set—A known grouping of data elements, such as user.home-info.postal.

[0034] Policy—A collection of one or more privacy statements together with information asserting the identity, URI, assurances, and dispute resolution procedures of the service covered by the policy.

[0035] Practice—The set of disclosures regarding data usage, including purpose, recipients, and other disclosures.

[0036] Preference—A rule, or set of rules, that determines what action(s) a user agent will take. A preference might be expressed as a formally defined computable statement, such as in the APPEL preference exchange language.

[0037] Service—A program that issues policies and (possibly) data requests. By this definition, a service may be a server (site), a local application, a piece of locally active code, such as an ActiveX control or Java applet, or even another user agent. Typically, however, a service is a Web site. In this specification the terms “service” and “Web site” are often used interchangeably.

[0038] Service Provider (Data Controller, Legal Entity)—The person or legal entity which offers information, products or services from a Web site, collects information, and is responsible for the representations made in a practice statement.

[0039] SOAP—Simple Object Access Protocol, which provides a way for applications to communicate with each other over the Internet, independent of platform. SOAP relies on XML to define the format of the information and then adds the necessary HTTP headers to send it.

[0040] Statement—A P3P statement is a set of privacy practice disclosures relevant to a collection of data elements.

[0041] URL—Abbreviation of Uniform Resource Locator, the global address of documents and other resources on the World Wide Web. The first part of the address indicates what protocol to use, and the second part specifies the IP address or the domain name where the resource is located.

[0042] User—An individual (or group of individuals acting as a single entity) on whose behalf a service is accessed and for which personal data exists. P3P policies describe the collection and use of personal data about this individual or group.

[0043] User Agent—A program whose purpose is to mediate interactions with services on behalf of the user under the user's preferences. A user may have more than one user agent, and agents need not reside on the user's desktop, but any agent must be controlled by and act on behalf of only the user. The trust relationship between a user and his agent may be governed by constraints outside of P3P. For instance, an agent may be trusted as a part of the user's operating system or Web client, or as a part of the terms and conditions of an ISP or privacy proxy.

[0044] The invention provides a system and method for P3P privacy preferences roaming and enforcement. In this system, each user has a single set of privacy preferences. The user can make changes to his preferences at his preferred browsers or services. For example, a user can apply a P3P preference editor to create his privacy preferences and then import them into his preferred browser. Alternatively, the user can modify his privacy preferences through permission prompts created by Web services.

[0045] FIG. 1 is a schematic flow diagram illustrating a method 100 of propagating a user's privacy preferences from a Web service to a Web browser. The method comprises the following steps:

[0046] Step 11a: The user signs up with a WSP 102 via browser 101 without P3P preferences;

[0047] Step 11b: WSP 102 returns “default privacy preferences” to the browser 101, which then records WSP 102's URL in its ServicePrivacyURLs file;

[0048] Step 11c: The user visits a Web Service Consumer (hereinafter WSC) 103;

[0049] Step 11d: If a user prompt is returned from the WSP 102 via WSC 103, then WSC 103 sends the user's “permission” to WSP 102;

[0050] Step 11e: WSP 102 checks whether the browser 101 needs to be updated;

[0051] Step 11f: If the check result in step 11e is yes, then WSP 102 informs WSC 103 to update browser 101 with the “privacy preferences” (SOAP response header from WSP to WSC);

[0052] Step 11g: WSC 103 sends the privacy preference update to the browser 101 (HTTP response header from WSC to the browser);

[0053] Step 11h: If the check result in step 11e is no, then WSP 102 acknowledges receipt of the user's “permission” forwarded by WSC 103; and

[0054] Step 11i: WSC 103 replies to the user's HTTP request.

[0055] FIG. 2 is a schematic flow diagram illustrating a method 200 of propagating a user's privacy preferences from a Web browser to Web services. The method comprises the following steps:

[0056] Step 21a: The user signs up with a Web service provider (WSP) 102 via browser 101 with P3P privacy preferences 104a;

[0057] Step 21b: WSP 102 requests the “privacy preferences” from the browser 101;

[0058] Step 21c: The browser 101 sends a copy of the user's privacy preferences 104b to WSP 102 and records WSP 102's URL in the browser's ServicePrivacyURLs file, which comprises a list of the URLs of those WSPs that hold a copy of the “privacy preferences”;

[0059] Step 21d: WSP 102 acknowledges receipt of the user's “privacy preferences”;

[0060] Step 21e: The user modifies the “privacy preferences” on the browser 101;

[0061] Step 21f: The browser 101 updates all registered WSPs with the updated “privacy preferences”.

[0062] FIGS. 3A-3C are schematic diagrams collectively illustrating a method 300 of enforcing a user's privacy preferences at Web services based on a service requester's P3P policies. The method comprises the following steps:

[0063] Step 31a: A user accesses a Web site (WSC) 103;

[0064] Step 31b: WSC 103 sends a service request to WSP 102, the service request including the following data:

[0065] p3pReferenceURL, which is the URL of WSC's P3P policy reference file;

[0066] p3pModificationTime, which is the latest date/time when WSC modified its P3P policies and/or reference file;

[0067] userAccessURL, which is the URL that the user tries to access at WSC.

[0068] Step 31c: WSP 102 classifies the user data in terms of P3P categories. This could be done via a list of P3P <DATA-STRUCT> elements. For example:

[0069] <p3p:DATA-STRUCT name="myProfile.contact.name" structref="#personname"><p3p:CATEGORIES><p3p:physical/><p3p:demographic/></p3p:CATEGORIES></p3p:DATA-STRUCT>

[0070] Step 31d: WSP 102 decides whether it needs to update its local cache of WSC's P3P policies/references information based on the incoming parameters p3pReferenceURL and p3pModificationTime;

[0071] Step 31e: If the check result in step 31d is yes, then WSP 102 pulls WSC's P3P policies/references information, updates the local cache appropriately, and continues with step 31f;

[0072] Step 31f: If the check result in step 31d is no, then WSP 102 identifies the WSC's P3P policies used at the userAccessURL;

[0073] Step 31g: WSP 102 evaluates the user's privacy preferences against WSC's P3P policies;

[0074] Step 31h: WSP 102 checks whether the WSC's P3P policies exclude the user's privacy preferences;

[0075] Step 31i: If the check result in step 31h is no, then the service request is allowed, and WSP 102 gets the data from the database 105 as shown in FIG. 3B and replies to WSC 103;

[0076] Step 31j: If the check result in step 31h is yes, then WSP 102 prompts the user directly or indirectly via WSC 103 for permission;

[0077] Step 31k: WSP 102 sends the user's preference changes back to the browser via an HTTP response header for the user's response.

[0078] FIG. 3C is a flow diagram illustrating the sub-steps of step 31g in FIG. 3A:

[0079] Step 31l: Identify the set of data fields that WSC is trying to access (for example, by executing XPath parsing);

[0080] Step 31m: Identify the corresponding set of P3P categories by applying the data-to-P3P-category mapping mentioned above; and

[0081] Step 31n: Execute a preference evaluation algorithm taking input parameters such as (1) the WSC P3P policy used at userAccessURL and (2) the set of P3P categories that WSC is trying to access.
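The following Python is an added example, not code from the patent, that models the WSP-side enforcement path of method 300 end to end: the DATA-STRUCT category mapping of step 31c, the p3pModificationTime-driven cache of steps 31d/31e, policy selection by userAccessURL (step 31f), and the preference evaluation of steps 31g-31n. The WSC reference data, the user's rules, the field names and the URLs are constructed; the rule format is a simplified APPEL-style stand-in, and the "block" outcome goes beyond the patent's allow/prompt distinction.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed DATA-STRUCT list like the one at step 31c: it classifies the WSP's
# user-data fields into P3P categories (the field names are made up).
DATA_STRUCTS = f"""<root xmlns:p3p="{P3P_NS}">
  <p3p:DATA-STRUCT name="myProfile.contact.name" structref="#personname">
    <p3p:CATEGORIES><p3p:physical/><p3p:demographic/></p3p:CATEGORIES>
  </p3p:DATA-STRUCT>
  <p3p:DATA-STRUCT name="myProfile.payment.card">
    <p3p:CATEGORIES><p3p:purchase/><p3p:financial/></p3p:CATEGORIES>
  </p3p:DATA-STRUCT>
</root>"""

# One STATEMENT of the WSC's P3P policy, reduced to the parts the rules look at.
Statement = namedtuple("Statement", "categories purposes recipients")
# APPEL-style preference rule: `behavior` ("block" or "prompt") fires when a statement
# covering one of `categories` lists any of `purposes` and any of `recipients` (empty = any).
Rule = namedtuple("Rule", "behavior categories purposes recipients")

def load_category_map(xml_text):
    """Step 31c: {data field name -> set of P3P category names}."""
    mapping = {}
    for ds in ET.fromstring(xml_text).iter(f"{{{P3P_NS}}}DATA-STRUCT"):
        # Category tags arrive namespaced ("{...P3Pv1}physical"); keep only the local name.
        mapping[ds.get("name")] = {c.tag.rsplit("}", 1)[-1]
                                   for c in ds.iterfind(f"{{{P3P_NS}}}CATEGORIES/*")}
    return mapping

def rule_matches(rule, category, stmt):
    return ((not rule.categories or category in rule.categories)
            and (not rule.purposes or bool(rule.purposes & stmt.purposes))
            and (not rule.recipients or bool(rule.recipients & stmt.recipients)))

def reference_info(cache, fetch, reference_url, modification_time):
    """Steps 31d/31e: re-pull the WSC's reference info only if p3pModificationTime is newer."""
    cached = cache.get(reference_url)
    if cached is None or cached[0] < modification_time:
        cached = cache[reference_url] = (modification_time, fetch(reference_url))
    return cached[1]

def policy_for(info, user_access_url):
    """Step 31f: the policy whose reference prefix is the longest match for userAccessURL."""
    prefixes = [p for p in info if user_access_url.startswith(p)]
    return info[max(prefixes, key=len)] if prefixes else None

def evaluate(requested_fields, category_map, policy, rules):
    """Steps 31l-31n and 31h: "allow", "prompt" or "block" for the requested fields. Unknown
    fields and categories the policy is silent about count as exclusions (the patent itself
    only distinguishes allow from prompt)."""
    outcome = "allow"
    for name in requested_fields:
        for category in category_map.get(name, {None}):
            covering = [s for s in (policy or []) if category in s.categories]
            if not covering:
                return "block"
            for stmt in covering:
                for rule in rules:
                    if rule_matches(rule, category, stmt):
                        if rule.behavior == "block":
                            return "block"
                        outcome = "prompt"
    return outcome

def handle_service_request(cache, fetch, category_map, rules, request):
    """Step 31b onwards: WSP-side decision for one WSC request carrying the patent's three
    parameters plus the data fields asked for."""
    info = reference_info(cache, fetch, request["p3pReferenceURL"], request["p3pModificationTime"])
    return evaluate(request["fields"], category_map, policy_for(info, request["userAccessURL"]), rules)

# Constructed WSC reference info: general pages use contact data internally, checkout
# also uses payment data for telemarketing, partner pages pass payment data onward.
OURS, ANY = frozenset({"ours"}), frozenset()
WSC_REFERENCE = {
    "https://wsc.example/": [Statement(frozenset({"physical", "demographic"}), frozenset({"current"}), OURS)],
    "https://wsc.example/checkout/": [Statement(frozenset({"purchase", "financial"}),
                                                frozenset({"current", "telemarketing"}), OURS)],
    "https://wsc.example/partners/": [Statement(frozenset({"purchase", "financial"}), frozenset({"current"}),
                                                frozenset({"ours", "other-recipient"}))],
}
FETCH_LOG = []  # every pull of the reference file, so the cache behaviour is observable

def fetch_reference_info(reference_url):
    """Stands in for fetching the WSC's P3P policy reference file over HTTP (constructed)."""
    FETCH_LOG.append(reference_url)
    return WSC_REFERENCE

# Constructed user preferences: never share financial data with third parties; ask before telemarketing.
USER_RULES = [Rule("block", frozenset({"financial"}), ANY, frozenset({"other-recipient"})),
              Rule("prompt", ANY, frozenset({"telemarketing"}), ANY)]
```

A request for the user's name from a general page is allowed, a card request from the checkout pages prompts, and a card request from the partner pages (or from a page whose policy says nothing about payment data) is refused.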

[0082] Although the invention is described herein with reference to the preferred embodiment, one skilled in the art will readily appreciate that other applications may be substituted for those set forth herein without departing from the spirit and scope of the invention.

[0083] Accordingly, the invention should only be limited by the claims included below.

1. In a distributed network comprising a number of service providers and a number of clients communicatively coupled to each other via a network, wherein a number of users are registered with said service providers through said clients, each of the users having a single set of privacy preferences, a method for propagating a user's privacy preferences from a service to a browser comprising the steps of: signing up, by a user, with a service provider via a browser without privacy preferences; returning, by said service provider, a set of default privacy preferences to said browser; accessing, by the user, a service consumer site; sending the user a user prompt for response; modifying, by the user, said privacy preferences; and returning said modified privacy preferences to said browser as a response.
2. The method of claim 1, wherein said step of modification can be any of: using a preference editor to edit his privacy preferences and importing the edited privacy preferences into his preferred browser; and changing said privacy preferences through permission prompts created by any site visited.
3. The method of claim 1, further comprising the steps of: checking, by said service provider, whether said browser needs to be updated for said modified privacy preferences; if the check result in said checking step is yes, then sending back said modified privacy preferences to said browser via a response header for the user's response; updating said browser with said modified privacy preferences; if the check result in said checking step is no, then acknowledging, by said service provider, receipt of the user's permission; and replying, by said service consumer site, to the user's request.
4. The method of claim 1, further comprising the steps of: checking, by said service provider, whether said browser needs to be updated for said modified privacy preferences; if the check result in said checking step is yes, then sending a response header from said service provider to said service consumer site; sending a response header from said service consumer site to said browser; updating said browser with said modified privacy preferences; if the check result in said checking step is no, then acknowledging, by said service consumer site, receipt of the user's permission; and replying, by said service consumer site, to the user's request.
5. In a distributed network comprising a number of Web service providers and a number of clients communicatively coupled to each other via the Internet, wherein a number of users are registered with said Web service providers through said clients, each of the users having a single set of privacy preferences, a method for propagating a user's privacy preferences from a Web browser to Web services comprising the steps of: signing up, by a user, with a Web service provider (WSP) via a browser with P3P privacy preferences; requesting, by said WSP, said privacy preferences from said browser; sending, by said browser, said privacy preferences to said WSP; recording, by said browser, said WSP's URL; and acknowledging, by said WSP, receipt of said privacy preferences.
6. The method of claim 5, further comprising the steps of: modifying, by the user, said privacy preferences on said browser; updating said browser with said modified privacy preferences; and sending, by said browser, a copy of said privacy preferences to each Web site whose URL is recorded in said browser.
7. The method of claim 6, wherein the user can perform said step of modification by using a P3P preference editor to edit said user's privacy preferences and importing them into said browser.
8. In a distributed network comprising a number of Web service providers and a number of clients communicatively coupled to each other via the Internet, wherein a number of users are registered with said Web service providers through said clients, each of the users having a single set of privacy preferences, a method for enforcing a user's privacy preferences at Web services based on a service requester's P3P policies comprising the steps of: (a) accessing, by the user, a Web service consumer site (WSC); (b) sending, by said WSC, a service request to a Web service provider (WSP); (c) classifying, by said WSP, the user's data in terms of P3P categories; (d) checking whether said WSP needs to update its cache of said WSC's P3P policies; (e) if the check result in step (d) is yes, then updating said WSC's P3P policies in said WSP's cache and continuing with step (f); (f) if the check result in step (d) is no, then identifying said WSC's P3P policies based on the data included in the service request; (g) evaluating the user's privacy preferences against said WSC's P3P policies; (h) checking whether said WSC's P3P policies exclude the user's privacy preferences; (i) if the check result of step (h) is no, then replying, by said WSP, to said WSC; (j) if the check result in step (h) is yes, prompting the user via said WSC for permission; and (k) sending the user's preference changes back from said WSP to said browser via an HTTP response header for the user's response.
9. The method of claim 8, wherein the service request comprises: the URL of said WSC's P3P policies and/or reference file; a timestamp of said WSC's last modification of its P3P policies and/or reference file; and the URL that the user used to access said WSC.
10. The method of claim 8, wherein step (g) further comprises the steps of: identifying the set of data fields that said WSC is trying to access; identifying the corresponding set of P3P categories by applying a data-to-P3P-category mapping; and executing a preference evaluation algorithm taking input parameters.
11. The method of claim 10, wherein said input parameters comprise: said WSC's P3P policies used at the URL that the user used to access said WSC; and the set of P3P categories that said WSC tries to access.
12. An apparatus for propagating a user's privacy preferences from a Web service to a Web browser, comprising: at least one Web site; at least one client, said at least one client and said at least one Web site being communicatively coupled to each other via the Internet; wherein a number of users are registered with said Web service providers through said at least one client, each of the users having a single set of privacy preferences; wherein when a user signs up with a Web service provider (WSP) via a browser without P3P privacy preferences, said WSP returns a set of default privacy preferences to said browser; wherein the user modifies the default privacy preferences; wherein said WSP returns the modified privacy preferences to said browser as an HTTP response; and wherein said browser updates with the modified privacy preferences.
13. The apparatus of claim 12, wherein the user modifies said default privacy preferences by any of: using a P3P preference editor to edit his privacy preferences and importing the edited privacy preferences into his preferred browser; and changing said privacy preferences through permission prompts created by any Web site he visited.
14. An apparatus for propagating a user's privacy preferences from a Web browser to Web services, comprising: at least one Web site; at least one client, said at least one client and said at least one Web site being communicatively coupled to each other via the Internet; wherein a number of users are registered with said Web service providers through said at least one client, each of the users having a single set of privacy preferences; wherein when a user signs up with a Web service provider (WSP) via a browser with P3P privacy preferences, said privacy preferences are copied to said WSP; wherein said browser records the URL of each Web site which receives a copy of said privacy preferences; and wherein when said privacy preferences are modified in said browser, said browser propagates the modified privacy preferences to each Web site whose URL is recorded in said browser.
15. The apparatus of claim 14, wherein the user can modify his privacy preferences by using a P3P preference editor and import the modified privacy preferences into said browser.
16. An apparatus for enforcing a user's privacy preferences at Web services based on a service requester's P3P policies, comprising: at least two Web sites; at least one client, said at least one client and said at least two Web sites being communicatively coupled to each other via the Internet; wherein a number of users are registered with said Web service providers through said at least one client, each of the users having a single set of privacy preferences; wherein when a user accesses a Web service consumer site (WSC) which in turn sends a service request to a Web service provider (WSP), said WSP classifies the user's data in terms of P3P categories; wherein said WSP updates its cache of said WSC's P3P policies when necessary; wherein said WSP identifies said WSC's P3P policies based on the data included in the service request and evaluates the user's preferences against said WSC's P3P policies; and wherein if said WSC's P3P policies exclude the user's privacy preferences, then said WSP prompts the user directly or indirectly via said WSC for permission and sends the user's preference changes back to said browser via an HTTP response header for the user's response.
17. The apparatus of claim 16, wherein the service request comprises: the URL of said WSC's P3P policies and/or reference file; a timestamp of said WSC's last modification of its P3P policies and/or reference file; and the URL that the user used to access said WSC.
18. The apparatus of claim 16, wherein said WSP evaluates the user's preferences against said WSC's P3P policies by: identifying the set of data fields that said WSC is trying to access; identifying the corresponding set of P3P categories using a data-to-P3P-category mapping; and executing a preference evaluation algorithm taking input parameters.
19. The method of claim 18, wherein said input parameters comprise: said WSC's P3P policies used at the URL that the user used to access said WSC; and the set of P3P categories that said WSC tries to access.